
Lecture 11: Audit and Information Technology Governance

Directly adopted from references:

a. Jack J. Champlain (2003), Auditing Information Systems, Second Edition, John Wiley & Sons.
b. ISACA, A Business Framework for the Governance and Management of Enterprise IT.
c. Board of Studies, The Institute of Chartered Accountants of India (2010), Information Systems Control and Audit, The Publication Department on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi-110 002, India.

BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

LEARNING OBJECTIVES:
To develop a business continuity plan
6.0 INTRODUCTION
 Business continuity focuses on maintaining the
operations of an organisation, especially the IT
infrastructure, in the face of a threat that has materialised.
 Disaster recovery, on the other hand, arises mostly
when the business continuity plan fails to maintain
operations and there is a service disruption.
 This plan focuses on restarting the operation using a
prioritised resumption list.

6.1 BUSINESS CONTINUITY PLANNING


 Business Continuity Planning (BCP) is the creation and
validation of a practical logistical plan for how an
organization will recover and restore partially or
completely interrupted critical (urgent) functions within a
predetermined time after a disaster or extended
disruption.
 The logistical plan is called a business continuity plan.
 Planning is an activity to be performed before the
disaster occurs or it would be too late to plan an effective
response.
 The resulting outage from such a disaster can have
serious effects on the viability of a firm's operations,
profitability, quality of service, and convenience.
 In fact, these consequences may be more severe
because of the lost time that results from inadequate
planning.
 After such an event, it is typical for senior management
to become concerned with all aspects of the occurrence,
including the measures taken to limit losses.
 Their concerns range from the initiating event and
contributing factors, to the response plans, effective
contingency planning and disaster recovery
coordination.
 Rather than delegating disaster avoidance to the
facilities or building security organisations, it is
preferable for a firm's disaster recovery planner(s) to
understand fully the risks to operations and the
measures that can minimise the probabilities and
consequences, and to formulate their disaster recovery
plan accordingly.
 When a risk manifests itself through disruptive events,
the business continuity plan is a guiding document that
allows the management team to continue operations.
 It is a plan for running the business under stressful and
time compressed situations.
 The plan lays out steps to be initiated on occurrence of a
disaster, combating it and returning to normal operations
including the quantification of the resources needed to
support the operational commitments.
 Business continuity covers the following areas:
 Business resumption planning : The operational side
of business continuity planning.
 Disaster recovery planning : The technological aspect
of business continuity planning, the advance planning
and preparation necessary to minimise losses and
ensure continuity of critical business functions of the
organisation in the event of disaster.
 Crisis management : The overall co-ordination of an
organisation’s response to a crisis in an effective timely
manner, with the goal of avoiding or minimising damage
to the organisation’s profitability, reputation or ability to
operate.

 The business continuity life cycle is broken down into
four broad and sequential sections:
 risk assessment,
 determination of recovery alternatives,
 recovery plan implementation, and
 recovery plan validation.

 Within each of these lifecycle sections, the applicable
resource sets are manipulated to provide the
organisation with the best mix of critical resource
quantities at optimum cost with minimum tangible and
intangible losses.
 These resource sets can be broken down into the
following components:
 information,
 technology,
 telecommunication,
 process,
 people, and
 facilities.

6.1.1 Objectives and Goals of Business Continuity Planning
 The primary objective of a business continuity plan is to
minimize loss by minimizing the cost associated with
disruptions and enable an organisation to survive a
disaster and to reestablish normal business operations.
 In order to survive, the organisation must assure that
critical operations can resume normal processing within
a reasonable time frame.
 The key objectives of the contingency plan should be to:
 (i) Provide for the safety and well-being of people on the
premises at the time of disaster;
 (ii) Continue critical business operations;
 (iii) Minimise the duration of a serious disruption to
operations and resources (both information processing
and other resources);
 (iv) Minimise immediate damage and losses;
 (v) Establish management succession and emergency
powers;
 (vi) Facilitate effective co-ordination of recovery tasks;
 (vii) Reduce the complexity of the recovery effort;
 (viii) Identify critical lines of business and supporting
functions;

 Therefore, the goals of the business continuity plan
should be to:
 (i) Identify weaknesses and implement a disaster
prevention program;
 (ii) minimise the duration of a serious disruption to
business operations;
 (iii) facilitate effective co-ordination of recovery tasks;
and
 (iv) reduce the complexity of the recovery effort
6.2 DEVELOPING A BUSINESS CONTINUITY PLAN
 The methodology for developing a business continuity
plan can be sub-divided into eight different phases.
 The extent of applicability of each of the phases has to
be tailored to the respective organisation.
 The methodology emphasises the following:
 (i) Providing management with a comprehensive
understanding of the total efforts required to develop and
maintain an effective recovery plan;
 (ii) Obtaining commitment from appropriate management
to support and participate in the effort;
 (iii) Defining recovery requirements from the perspective
of business functions;
 (iv) Documenting the impact of an extended loss to
operations and key business functions;
 (v) Focusing appropriately on disaster prevention and
impact minimisation, as well as orderly recovery;
 (vi) Selecting business continuity teams that ensure the
proper balance required for plan development;
 (vii) Developing a business continuity plan that is
understandable, easy to use and maintain; and
 (viii) Defining how business continuity considerations
must be integrated into ongoing business planning and
system development processes in order that the plan
remains viable over time.

 The eight phases are described in detail in the following
paragraphs:
 (i) Pre-Planning Activities (Business continuity plan
Initiation)
 (ii) Vulnerability Assessment and General Definition of
Requirements
 (iii) Business Impact Analysis
 (iv) Detailed Definition of Requirements
 (v) Plan Development
 (vi) Testing Program
 (vii) Maintenance Program
 (viii) Initial Plan Testing and Plan Implementation
6.2.1 Pre-Planning Activity :
 In phase 1, we obtain an understanding of the existing
and projected systems environment of the organisation.
 This enables us to refine the scope of business
continuity planning and the associated work program;
develop schedules; and identify and address issues that
could have an impact on the delivery and the success of
the plan.
 During this phase a Steering Committee should be
established that should undertake an overall
responsibility for providing direction and guidance to the
business continuity planning team.
 The committee should also make all decisions related to
the recovery planning effort.
 The Business Continuity Manager should work with the
Steering Committee in finalising the detailed work plan
and developing interview schedules for conducting the
Security Assessment and the Business Impact Analysis.
 Two other key deliverables of this phase are:
 the development of a policy to support the recovery
programs;
 an awareness program to educate management and
senior individuals who will be required to participate in
the business continuity program.

6.2.2 Vulnerability Assessment and Definition of
Requirements :
 Security and control within an organisation are a
continuing concern.
 It is preferable, from an economic and business strategy
perspective, to concentrate on activities that have the
effect of reducing the possibility of disaster occurrence,
rather than concentrating primarily on minimising the
impact of an actual disaster.
 This phase addresses measures to reduce the
probability of occurrence.
 This phase will include the following tasks:
 (i) A thorough Security Assessment of the system and
communications environment including:
 personnel practices;
 physical security;
 operating procedures;
 backup and contingency planning;
 systems development and maintenance;
 database security;
 data and voice communications security;
 systems and access control software security;
 insurance;
 security planning and administration;
 application controls; and
 personal computers.
 (ii) The Security Assessment will enable the business
continuity team to improve any existing emergency plans
and disaster prevention measures and to implement
required emergency plans and disaster prevention
measures where none exist.
 (iii) Present findings and recommendations resulting
from the activities of the Security Assessment to the
Steering Committee so that corrective actions can be
initiated in a timely manner.
 (iv) Define the scope of the planning effort.
 (v) Analyse, recommend and purchase recovery
planning and maintenance software required to support
the development and maintenance of the plans.
 (vi) Develop a Plan Framework.
 (vii) Assemble business continuity team and conduct
awareness sessions.

6.2.3 Business Impact Analysis :


 Business Impact Analysis (BIA) is essentially a means of
systematically assessing the potential impacts resulting
from various events or incidents.
 It enables the business continuity team to:
 identify critical systems,
 processes and functions,
 assess the economic impact of incidents and disasters
that result in a denial of access to the system,
 services and facilities,
 assess the "pain threshold," that is, the length of time
business units can survive without access to the system,
services and facilities.

 The business impact analysis is intended to help
understand the degree of potential loss (and various
other unwanted effects) which could occur.
 This will cover not just direct financial loss, but other
issues, such as reputation damage, regulatory effects,
etc.
 A number of tasks are to be undertaken in this phase as
enumerated under:
 (i) Identify organisational risks - This includes single
point of failure and infrastructure risks. The objective is
to identify risks and opportunities and to minimise
potential threats that may lead to a disaster.
 (ii) Identify critical business processes.
 (iii) Identify and quantify threats/ risks to critical business
processes both in terms of outage and financial impact.
 (iv) Identify dependencies and interdependencies of
critical business processes and the order in which they
must be restored.
 (v) Determine the maximum allowable downtime for
each business process.
 (vi) Identify the type and the quantity of resources
required for recovery, e.g. tables, chairs, fax machines,
photocopiers, safes, desktops, printers, etc.
 (vii) Determine the impact to the organisation in the
event of a disaster, e.g. financial, reputational, etc.

 There are a number of ways to obtain this information:


 Questionnaires,
 Workshops,
 Interviews,
 Examination of documents

 The BIA Report should be presented to the Steering
Committee.
 This report identifies critical service functions and the
timeframe in which they must be recovered after
interruption.
 The BIA Report should then be used as a basis for
identifying systems and resources required to support
the critical services provided by information processing
and other services and facilities.
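The BIA tasks above (maximum allowable downtime, dependencies and the order in which processes must be restored) can be turned into a small ordering check. The following is an added example, not code from the lecture notes or from any of the cited references; the process names, MAD values and restore durations are constructed, and the propagation rule (a supporting process can be down no longer than the tightest process that depends on it) is the author's own simplification.

```python
"""Added example (not from the lecture notes): ordering critical business
processes for restoration from their BIA maximum allowable downtime (MAD)
and their dependencies.  Process names, MAD values and restore durations
below are constructed for illustration."""
import heapq
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mad_hours: float                 # maximum allowable downtime from the BIA
    restore_hours: float             # estimated time to bring the process back
    depends_on: list = field(default_factory=list)


# Constructed sample: a payments process with a 4-hour MAD that depends on
# infrastructure whose own declared MAD is much looser.
SAMPLE = [
    Process("Core network", 48, 2),
    Process("Active Directory", 24, 3, ["Core network"]),
    Process("Database", 24, 6, ["Core network"]),
    Process("Payments", 4, 2, ["Database", "Active Directory"]),
    Process("Payroll", 72, 4, ["Database", "Active Directory"]),
    Process("Intranet", 120, 1, ["Active Directory"]),
]


def effective_mad(processes):
    """A process may be down no longer than anything that depends on it, so
    the tightest deadline propagates down each dependency chain."""
    eff = {p.name: p.mad_hours for p in processes}
    changed = True
    while changed:                   # fixed point; the graph must be acyclic
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if eff[p.name] < eff[dep]:
                    eff[dep] = eff[p.name]
                    changed = True
    return eff


def restoration_order(processes):
    """Kahn's topological sort; among the processes that are ready to be
    restored, the one with the tightest effective MAD goes first."""
    eff = effective_mad(processes)
    indeg = {p.name: len(p.depends_on) for p in processes}
    dependents = {p.name: [] for p in processes}
    for p in processes:
        for dep in p.depends_on:
            dependents[dep].append(p.name)
    ready = [(eff[n], n) for n, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (eff[child], child))
    if len(order) != len(processes):
        raise ValueError("circular dependency among processes")
    return order


def schedule(processes):
    """Sequential recovery timeline: finish hour of each process and the
    processes whose finish time breaches their effective MAD."""
    by_name = {p.name: p for p in processes}
    eff = effective_mad(processes)
    clock, finish, breaches = 0.0, {}, []
    for name in restoration_order(processes):
        clock += by_name[name].restore_hours
        finish[name] = clock
        if clock > eff[name]:
            breaches.append(name)
    return finish, breaches


if __name__ == "__main__":
    finish, breaches = schedule(SAMPLE)
    for name in restoration_order(SAMPLE):
        print(f"{name:18s} done at hour {finish[name]:5.1f}")
    print("MAD breached by:", breaches)
```

Running the sample shows the typical BIA finding: the 4-hour MAD declared for Payments silently imposes a 4-hour MAD on the network, directory and database it depends on, and a sequential recovery of those cannot meet it. That is the point at which the plan must either shorten the restore times, recover the infrastructure in parallel, or revise the MAD with the business owner.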

6.2.4 Detailed Definition of requirements :


 During this phase, a profile of recovery requirements is
developed.
 This profile is to be used as a basis for analysing
alternative recovery strategies.
 The profile is developed by identifying resources
required to support critical functions identified in Phase
3.
 This profile should include:
 hardware (mainframe, data and voice communication
and personal computers),
 software (vendor supplied, in-house developed, etc.),
 documentation (user, procedures),
 outside support (public networks, DP services, etc.),
 facilities (office space, office equipment, etc.) and
personnel for each business unit.

 Recovery Strategies will be based on short term,
intermediate term and long term outages.
 Another key deliverable of this phase is the definition of
the plan scope, objectives and assumptions.

6.2.5 Plan Development :


 The objective of this phase is to determine the available
options and formulation of appropriate alternative
operating strategies to provide timely recovery for all
critical processes and their dependencies.
 The recovery strategies may be two-tiered:
 Business - Logistics, accounting, human resources,
etc.
 Technical - Information Technology (e.g. desktop,
client-server, midrange, mainframe computers, data and
voice networks).
 In this phase, recovery plan components are defined
and plans are documented.
 This phase also includes:
 the implementation of changes to user procedures,
 upgrading of existing data processing operating
procedures required to support selected recovery
strategies and alternatives,
 vendor contract negotiations (with suppliers of recovery
services) and
 the definition of recovery teams, their roles and
responsibilities.

 Recovery standards are also developed during this
phase.
 The organisation’s recovery strategy needs to be
developed for the recovery of the core business
processes.
 In the event of a disaster, it is survival and not business
as usual.
6.2.6 Testing the Plan :
 The Testing/Exercising program is developed during this
phase.
 Testing/Exercising goals are established and alternative
testing strategies are evaluated.
 Testing strategies tailored to the environment should be
selected and an on-going testing program should be
established.
 Unless the plan is tested on a regular basis, there is no
assurance that in the event the plan is activated, the
organisation will survive a disaster.
 The objectives of performing BCP tests are to ensure
that:
 The recovery procedures are complete and workable.
 The competence of personnel in their performance of
recovery procedures can be evaluated.
 The resources such as business processes, IS
systems, personnel, facilities and data are obtainable
and operational to perform recovery processes.
 The manual recovery procedures and IT backup
system/s are current and can either be operational or
restored.
 The success or failure of the business continuity
training program is monitored.

6.2.7 Maintenance Program :


 Maintenance of the plans is critical to the success of
actual recovery.
 The plans must reflect changes to the environment.
 It is critical that existing change management processes
are revised to take recovery plan maintenance into
account.
 In areas where change management does not exist,
change management procedures will be recommended
and implemented.
 The tasks undertaken in this phase are:
 Determine the ownership and responsibility for
maintaining the various BCP strategies within the
organisation
 Identify the BCP maintenance triggers to ensure that
any organisational, operational, and structural changes
are communicated to the personnel who are accountable
for ensuring that the plan remains up-to-date.
 Determine the maintenance regime to ensure the plan
remains up-to-date.
 Determine the maintenance processes to update the
plan.
 Implement version control procedures to ensure that
the plan is maintained up-to-date.

6.2.8 Testing and Implementation :


 Once plans are developed, initial tests of the plans are
conducted and any necessary modifications to the plans
are made based on an analysis of the test results.
 Specific activities of this phase include the following:
 Defining the test purpose/approach;
 Identifying test teams;
 Structuring the test;
 Conducting the test;
 Analysing test results; and
 Modifying the plans as appropriate.

 The approach taken to test the plans depends largely on
the recovery strategies selected to meet the recovery
requirements of the organisation.
 As the recovery strategies are defined, specific testing
procedures should be developed to ensure that the
written plans are comprehensive and accurate.

6.3 TYPES OF PLANS


 There are various kinds of plans that need to be
designed.
 They include the following:

6.3.1 Emergency Plan :


 The emergency plan specifies the actions to be
undertaken immediately when a disaster occurs.
 Management must identify those situations that require
the plan to be invoked for example:
 major fire,
 major structural damage,
 and terrorist attack.

 The actions to be initiated can vary depending on the
nature of the disaster that occurs.
 If an organisation undertakes a comprehensive security
review program, the threat identification and exposure
analysis phases involve identifying those situations that
require the emergency plan to be invoked.
 When the situations that invoke the plan have been
identified, four aspects of the emergency plan must be
articulated:
 First, the plan must show who is to be notified
immediately when the disaster occurs - management,
police, fire department, medical services, and so on.
 Second, the plan must show actions to be undertaken,
such as shutdown of equipment, removal of files, and
termination of power.
 Third, any evacuation procedures required must be
specified.
 Fourth, return procedures (e.g., conditions that must be
met before the site is considered safe) must be
designated.

 In all cases, the personnel responsible for the actions
must be identified, and the protocols to be followed must
be specified clearly.

6.3.2 Back-up Plan :


 The backup plan specifies:
 the type of backup to be kept,
 frequency with which backup is to be undertaken,
 procedures for making backup,
 location of backup resources,
 site where these resources can be assembled and
operations restarted,
 personnel who are responsible for gathering backup
resources and restarting operations,
 priorities to be assigned to recovering the various
systems, and
 a time frame for recovery of each system.

 For some resources, the procedures specified in the
backup plan might be straightforward.
 For example, microcomputer users might be
admonished to make backup copies of critical files and
store them off site.
 In other cases, the procedures specified in the backup
plan could be complex and somewhat uncertain.
 For example, it might be difficult to specify exactly how
an organisation’s mainframe facility will be recovered in
the event of a fire.
 The backup plan needs continuous updating as changes
occur.
 For example, as personnel with key responsibilities in
executing the plan leave the organisation, the plan must
be modified accordingly.
 Indeed, it is prudent to have more than one person
knowledgeable in a backup task in case someone is
injured when a disaster occurs.
 Similarly, lists of hardware and software must be
updated to reflect acquisitions and disposals.
 Perhaps the most difficult part in preparing a backup
plan is to ensure that all critical resources are backed
up.
 The following resources must be considered:
 (i) Personnel : Training and rotation of duties among
information system staff so as to enable them to replace
others when required. Arrangements with another
company for provision of staff.
 (ii) Hardware : Arrangements with another company for
provision of hardware.
 (iii) Facilities : Arrangements with another company for
provision of facilities.
 (iv) Documentation : Inventory of documentation stored
securely on-site and off-site.
 (v) Supplies : Inventory of critical supplies stored
securely on-site and off-site with a list of vendors who
provide all supplies.
 (vi) Data / information : Inventory of files stored securely
on site and off site.
 (vii) Applications software : Inventory of application
software stored on site and off site.
 (viii) System software : Inventory of system software
stored securely on site and off site.

6.3.3 Recovery Plan :


 The backup plan is intended to restore operations
quickly so the information system function can continue
to service an organisation, whereas, recovery plans set
out procedures to restore full information system
capabilities.
 Recovery plans should identify a recovery committee
that will be responsible for working out the specifics of
the recovery to be undertaken.
 The plan should specify the responsibilities of the
committee and provide guidelines on priorities to be
followed.
 The plan might also indicate which applications are to be
recovered first.
 Members of a recovery committee must understand their
responsibilities.
 Again, the problem is that they will be required to
undertake unfamiliar tasks.
 Periodically, they must review and practice executing
their responsibilities so they are prepared should a
disaster occur.
 If committee members leave the organisation, new
members must be appointed immediately and briefed
about their responsibilities.

6.4 TEST PLAN


 The final component of a disaster recovery plan is a test
plan.
 The purpose of the test plan is to identify deficiencies in
the emergency, backup, or recovery plans or in the
preparedness of an organisation and its personnel for
facing a disaster.
 It must enable a range of disasters to be simulated and
specify the criteria by which the emergency, backup, and
recovery plans can be deemed satisfactory.
 Periodically, test plans must be invoked.
 Unfortunately, top managers are often unwilling to carry
out a test because daily operations are disrupted.
 They also fear a real disaster could arise as a result of
the test procedures.
 To facilitate testing, a phased approach can be adopted:
 First, the disaster recovery plan can be tested by desk
checking and inspection and walkthroughs, much like
the validation procedures adopted for programs.
 Next, a disaster can be simulated at a convenient time,
for example, during a slow period in the day.
 Anyone who will be affected by the test (e.g., personnel
and customers) also might be given prior notice of the
test so they are prepared.
 Finally, disasters could be simulated without warning at
any time.
 These are the acid tests of the organisation’s ability to
recover from a catastrophe.

6.5 THREATS AND RISK MANAGEMENT


 To minimise threats to the confidentiality, integrity, and
availability of data and computer systems, and for
successful business continuity, it can be useful to
evaluate potential threats to computer systems.
 Discussed hereunder are various threats, risks and
exposures to computer systems and suggested control
measures.

Lack of integrity :
 Control measures to ensure integrity include:
 implementation of security policies,
 procedures and standards,
 use of encryption techniques and digital signatures,
 inclusion of data validation,
 editing, and reconciliation techniques for inputs,
processes and outputs,
 updated antivirus software,
 division of duties and layered control to prevent
impersonation,
 use of disk repair utility,
 implementation of user identification,
 authentication and access control techniques,
 backup of system and data,
 security awareness programs and training of employees,
 installation of audit trails,
 audit of adequacy of data integrity.

Lack of confidentiality :
 Control measures to ensure confidentiality include:
 use of encryption techniques and digital signatures,
 implementation of a system of accountability by logging
and journaling system activity,
 development of a security policy procedure and
standard,
 employee awareness and training,
 requiring employees to sign a non-disclosure
undertaking,
 implementation of physical and logical access controls,
 use of passwords and other authentication techniques,
 establishment of a documentation and distribution
schedule,
 secure storage of important media and data files,
 installation of audit trails,
 audit of confidentiality of data.

Lack of system availability :


 Control measures to ensure availability include:
 implementation of software configuration controls,
 a fault tolerant hardware and software for continuous
usage and an asset management software to control
inventory of hardware and software,
 insurance coverage,
 system backup procedure to be implemented,
 implementation of physical and logical access controls,
 use of passwords and other authentication techniques,
 incident logging and report procedure,
 backup power supply,
 updated antivirus software,
 security awareness programs and training of employees,
 installation of audit trails,
 audit of adequacy of availability safeguards.

Unauthorised users attempt to gain access to the
system and system resources :
 Control measures to stop unauthorised users from
gaining access to the system and system resources
include identification and authentication mechanisms
such as:
 passwords,
 biometric recognition devices,
 tokens,
 logical and physical access controls,
 smart cards,
 disallowing the sharing of passwords,
 use of encryption and checksum,
 display of warning messages and regular audit
programs.
 Data transmitted over a public or shared network may be
intercepted by an unauthorised user, and security
breaches may occur through improper use or bypass of
available security features. Control measures include
strong identification and authentication mechanisms
such as biometrics and tokens, layered system access
controls, documentation procedures, quality assurance
controls and auditing.
 Hostile software, e.g. viruses, worms, Trojan horses,
etc. Control measures include the establishment of
policies regarding sharing and external software usage,
updated anti-virus software with detection, identification
and removal tools, use of diskless PCs and workstations,
installation of intrusion detection tools and network filter
tools such as firewalls, use of checksums, cryptographic
checksums and error detection tools for sensitive data,
installation of change detection tools, and protection of
files with permissions required for the ‘write’ function.
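The "cryptographic checksums" and "change detection tools" listed as controls against hostile software share one mechanism: record a checksum baseline of the files that matter, then compare. The following is an added example, not code from the lecture notes or the cited references; the directory layout and file contents are constructed inside a temporary folder so it runs offline.

```python
"""Added example (not part of the lecture notes): a minimal change
detection tool of the kind listed above.  It records a SHA-256 baseline of
every file under a directory and later reports files that were added,
removed or modified.  The directory and its files are constructed in a
temporary folder so the example runs offline."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Cryptographic checksum of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = sha256_of(full)
    return table


def compare(old, new):
    """Classify the differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, take a baseline, alter the tree the way an
    unauthorised change would, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original program")
        _write(root, "config.ini", b"debug=0\n")
        before = baseline(root)
        _write(root, "bin/login", b"altered program")      # modified in place
        _write(root, "bin/extra", b"unexpected new file")  # added
        os.remove(os.path.join(root, "config.ini"))        # removed
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: it must be kept where the same write permission that altered a monitored file cannot alter the stored checksums (read-only media or a separate host), which is the reason the list above pairs checksums with restrictions on the write function.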

Disgruntled employees :
 Control measures include installation of physical and
logical access controls, logging and notification of
unsuccessful logins, use of a disconnect feature on
multiple unsuccessful logins, protection of modem and
network devices, installation of one-time-use
passwords, security awareness programs and training of
employees, application of motivation theories, job
enrichment and job rotation.
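Two of the controls just listed, logging of unsuccessful logins and a disconnect after multiple failures, need a concrete rule to act on. The following is an added example, not code from the lecture notes or the cited references; the log line format, the account names and addresses, and the "three failures within ten minutes" threshold are all constructed for illustration.

```python
"""Added example (not from the lecture notes): detection logic for the
"logging and notification of unsuccessful logins" and "disconnect on
multiple unsuccessful logins" controls.  The log format and the sample
lines are constructed for the example; real systems have their own formats."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <FAIL|OK> user=<name> src=<address>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2024-03-01T08:00:00 FAIL user=bob src=10.1.1.7
2024-03-01T08:00:30 FAIL user=bob src=10.1.1.7
2024-03-01T08:01:00 OK user=bob src=10.1.1.7
2024-03-01T08:05:00 FAIL user=carol src=192.0.2.9
2024-03-01T08:06:00 FAIL user=carol src=192.0.2.9
this line is not an authentication record
2024-03-01T08:30:00 FAIL user=carol src=192.0.2.9
2024-03-01T08:31:00 FAIL user=carol src=198.51.100.4
2024-03-01T08:32:00 FAIL user=carol src=198.51.100.4
2024-03-01T08:33:00 FAIL user=carol src=198.51.100.4
""".splitlines()


def parse(line):
    """Return (timestamp, outcome, user, source) or None for a foreign line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_lockouts(lines, threshold=3, window=timedelta(minutes=10)):
    """Emit one lockout event per account the first time it accumulates
    `threshold` failures inside `window`.  A successful login clears the
    account's failure history; failures older than the window are dropped."""
    recent = defaultdict(deque)          # user -> deque of (timestamp, source)
    locked = set()
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # unparseable lines are skipped
        ts, outcome, user, src = rec
        if outcome == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()                   # expire failures outside the window
        if len(q) >= threshold and user not in locked:
            locked.add(user)
            events.append({
                "user": user,
                "at": ts.isoformat(),
                "failures": len(q),
                "sources": sorted({s for _, s in q}),
            })
    return events


if __name__ == "__main__":
    for event in detect_lockouts(SAMPLE_LOG):
        print(event)
```

In the sample, bob's two failures followed by a success never trigger anything, and carol's two early failures age out of the window before the later burst, so the event is raised only at the third failure of the burst and lists both source addresses involved. The event is what feeds the "notification" half of the control; the disconnect itself is whatever action the platform supports.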

Hackers and computer crimes


 Control measures to include:
 installation of firewall and intrusion detection systems,
 change of passwords frequently,
 installation of one time use passwords,
 discontinuance of use of installed and vendor installed
passwords,
 use of encryption techniques during storage and
transmission of data, use of digital signatures,
 security of modem lines with dial back modems,
 use of message authentication code mechanisms,
 installation of programs that control change procedures,
 and prevent unauthorised changes to programs,
 installation of logging features and audit trails for
sensitive information.

Terrorism and industrial espionage :


 Control measures to include:
 usage of traffic padding and flooding techniques to
confuse intruders,
 use of encryption during program and data storage,
 use of network configuration controls,
 implementation of security labels on sensitive files,
 usage of real-time user identification to detect
masquerading,
 installation of intrusion detection programs.

6.5.1 Minimising risks in organisation’s infrastructure :


 A key element in minimising the threat of a disaster
occurring in an organisation is “hardening” the
organisation’s infrastructure from potential sources of
risk.
 Many organisations fail to identify the potential threats
from single points of failure or hazards from the
organisation’s environment, e.g. buildings, plant,
equipment and staff.
 The organisation’s infrastructure is at risk from a large
number of potential threats and hazards as depicted in
the table below:

6.5.2 Single Points of Failure Analysis :


 The objective is to identify any single point of failure
within the organisation’s infrastructure, in particular the
information technology infrastructure.
 Single points of failure have increased significantly due
to the continued growth in the complexity of the
organisation’s IS environment.
 This growth has occurred due to changes in technology
and customers’ demands for new channels for the
delivery of services and/or products, for example E-
Commerce.
 Organisations have failed to respond to increase in the
exposure from single point of failure by not implementing
risk mitigation strategies.
 One common area of risk from single point of failure is
the telecommunication infrastructure.
 Because of its transparency, this potential risk is often
overlooked.
 While the resiliency of networks and the mean time
between failures of communication devices, e.g. routers,
have improved, the network is still a single point of
failure in an organisation that may lead to a disaster
being declared.
 To ensure single points of failure are identified within the
organisation’s IS architecture at the earliest possible
stage, it is essential that, as part of any project, a
technology risk assessment be performed.
 The objectives of risk assessment are to:
 Identify Information Technology risks
 Determine the level of risk
 Identify the risk factors
 Develop risk mitigation strategies

 The benefits of performing a technology risk assessment
are:
 A business-driven process to identify, quantify and
manage risks while detailing future suggestions for
improvement in technical delivery.
 A framework that governs technical choice and
delivery processes with cyclic checkpoints during the
project lifecycle.
 Interpretation and communication of potential risk
impact and where appropriate, risk reduction to a
perceived acceptable level.
 Implementation of strict disciplines for active risk
management during the project lifecycle.
 The technology risk assessment needs to be a
mandatory requirement for all projects to ensure that
proactive management of risks occurs and that no single
points of failure are inadvertently built into the overall
architecture.
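A single-points-of-failure analysis of the kind described in this section can be made mechanical once the infrastructure is written down as a dependency model. The following is an added example, not code from the lecture notes or the cited references; the topology (power, two carriers, one router, a replicated database, one authentication server) and the "at least one member of every requirement group must be up" rule are the author's constructed model, and the generator added at the end is a hypothetical mitigation.

```python
"""Added example (not from the lecture notes): single-point-of-failure
analysis over a small, constructed model of an IT infrastructure.  Each node
lists requirement groups; a node is up when at least one member of every
group is up.  A single point of failure is a node whose loss alone takes a
critical service down."""
import copy

# Constructed sample topology: node -> list of groups, each group a set of
# alternatives of which at least one must be up.  Nodes with no groups
# depend on nothing inside the model.
TOPOLOGY = {
    "mains-power": [],
    "ups":         [{"mains-power"}],
    "isp-a":       [],
    "isp-b":       [],
    "core-router": [{"ups"}, {"isp-a", "isp-b"}],    # two carriers, one router
    "db-primary":  [{"ups"}, {"core-router"}],
    "db-replica":  [{"ups"}, {"core-router"}],
    "auth-server": [{"ups"}, {"core-router"}],
    "web-tier":    [{"ups"}, {"core-router"}, {"auth-server"},
                    {"db-primary", "db-replica"}],
}
CRITICAL = ["web-tier"]


def up_nodes(topology, failed=frozenset()):
    """Nodes that are up once `failed` nodes are removed (fixed point over
    the dependency graph, which must be acyclic)."""
    up = set()
    changed = True
    while changed:
        changed = False
        for node, groups in topology.items():
            if node in up or node in failed:
                continue
            if all(group & up for group in groups):
                up.add(node)
                changed = True
    return up


def single_points_of_failure(topology, critical):
    """Map each SPOF to the critical services its loss alone would take down."""
    spofs = {}
    for node in topology:
        if node in critical:
            continue
        survivors = up_nodes(topology, failed={node})
        lost = [s for s in critical if s not in survivors]
        if lost:
            spofs[node] = lost
    return spofs


def add_alternative(topology, node, existing, alternative):
    """Mitigation: make `alternative` a redundant peer of `existing` in the
    requirement group of `node` that currently contains `existing`."""
    new = copy.deepcopy(topology)
    new.setdefault(alternative, [])
    for group in new[node]:
        if existing in group:
            group.add(alternative)
            return new
    raise KeyError(f"{node} has no requirement group containing {existing}")


if __name__ == "__main__":
    print("before:", sorted(single_points_of_failure(TOPOLOGY, CRITICAL)))
    mitigated = add_alternative(TOPOLOGY, "ups", "mains-power", "generator")
    print("after adding a generator:",
          sorted(single_points_of_failure(mitigated, CRITICAL)))
```

The sample reproduces the section's observation about telecommunications: the two carriers are redundant, but the single router they both terminate on is a SPOF, as are the power feed, the UPS and the lone authentication server. Adding a generator removes mains power from the list and leaves the rest for the risk assessment to address.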

6.6 SOFTWARE AND DATA BACK-UP TECHNIQUES


6.6.1 Types of Back-ups :
 When back-ups are taken of the system and data
together, they are called a total system back-up.
 System back-up may be:
 a full back-up,
 an incremental back-up or
 a differential back-up.

(i) Full Backup :


 A full backup captures all files on the disk or within the
folder selected for backup.
 With a full backup system, every backup generation
contains every file in the backup set.
 However, the amount of time and space such a backup
takes prevents it from being a realistic proposition for
backing up a large amount of data.

(ii) Incremental Backup :


 An incremental backup captures files that were created
or changed since the last backup, regardless of backup
type.
 This is the most economical method, as only the files
that changed since the last backup are backed up.
 This saves a lot of backup time and space.
 Normally, incremental backups are very difficult to
restore.
 You will have to start by recovering the last full backup,
and then recover from every incremental backup
taken since.

(iii) Differential Backup :
 A differential backup stores files that have changed
since the last full backup.
 Therefore, if a file is changed after the previous full
backup, a differential backup takes less time to complete
than a full backup.
 Compared with a full backup, a differential backup is
obviously faster and more economical in its use of
backup space, as only the files that have changed since
the last full backup are saved.
 Restoring from a differential backup is a two-step
operation:
 Restoring from the last full backup;
 restoring the appropriate differential backup.
 The downside to using differential backup is that each
differential backup will probably include files that were
already included in earlier differential backups.

(iv) Mirror back-up :
 A mirror backup is identical to a full backup, with the
exception that the files are not compressed in zip files
and they cannot be protected with a password.
 A mirror backup is most frequently used to create an
exact copy of the backup data.
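As an added example (not from the ICAI text), the following Python model runs the three backup types over a constructed file set and shows how many files each generation captures and which generations a restore must replay; the file names, change days and the "backups run at end of day" assumption are constructed for the illustration.

```python
"""Added example (not from the ICAI text): a small model of full,
incremental and differential backups that shows what each generation
captures and what a restore has to replay."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed file system state: path -> day of last modification.
# Assumption: backups run at the end of each day, after all changes.
INITIAL_FILES = {"ledger.db": 0, "payroll.xlsx": 0, "config.ini": 0}
# Constructed change log: day -> files modified (or created) that day.
DAILY_CHANGES = {
    1: ["ledger.db"],
    2: ["ledger.db", "payroll.xlsx"],
    3: ["ledger.db"],
    4: ["ledger.db", "audit.log"],   # audit.log is created on day 4
}


@dataclass
class Backup:
    kind: str              # "full", "incremental" or "differential"
    day: int               # day the generation was taken
    files: Dict[str, int]  # path -> modification day captured


class BackupSet:
    """Tracks backup generations and decides what each one captures."""

    def __init__(self) -> None:
        self.history: List[Backup] = []

    def _last(self, kinds: Set[str]) -> Backup:
        for b in reversed(self.history):
            if b.kind in kinds:
                return b
        raise ValueError("no %s backup exists yet" % "/".join(sorted(kinds)))

    def run(self, kind: str, day: int, current: Dict[str, int]) -> Backup:
        if kind == "full":
            captured = dict(current)                     # every file
        elif kind == "incremental":
            # changed since the last backup of ANY type
            ref = self._last({"full", "incremental", "differential"})
            captured = {p: m for p, m in current.items() if m > ref.day}
        elif kind == "differential":
            # changed since the last FULL backup only
            ref = self._last({"full"})
            captured = {p: m for p, m in current.items() if m > ref.day}
        else:
            raise ValueError("unknown backup type: " + kind)
        b = Backup(kind, day, captured)
        self.history.append(b)
        return b

    def restore_chain(self) -> List[Backup]:
        """Generations to replay, oldest first, to rebuild the latest state."""
        if not self.history:
            raise ValueError("nothing to restore")
        chain: List[Backup] = []
        for b in reversed(self.history):
            chain.append(b)           # walk back over incrementals ...
            if b.kind in ("full", "differential"):
                break                 # ... until a full or differential
        if chain[-1].kind == "differential":
            # a differential is only usable on top of its base full backup
            idx = self.history.index(chain[-1])
            chain.append(next(b for b in reversed(self.history[:idx])
                              if b.kind == "full"))
        chain.reverse()
        return chain

    def restore(self) -> Dict[str, int]:
        state: Dict[str, int] = {}
        for b in self.restore_chain():
            state.update(b.files)     # later generations overwrite earlier copies
        return state


def simulate(kind: str) -> dict:
    """Full backup on day 0, then one backup of the given kind per day."""
    files = dict(INITIAL_FILES)
    bs = BackupSet()
    bs.run("full", 0, files)
    for day, changed in sorted(DAILY_CHANGES.items()):
        for path in changed:
            files[path] = day
        bs.run(kind, day, files)
    return {
        "files_per_backup": [len(b.files) for b in bs.history],
        "restore_chain": ["%s@%d" % (b.kind, b.day) for b in bs.restore_chain()],
        "restore_ok": bs.restore() == files,
    }


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, simulate(kind))
```

The differential run stores more per generation but restores from two media; the incremental run stores less but must replay every generation since the last full, so the loss of any one medium breaks the chain.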

6.7 ALTERNATE PROCESSING FACILITY ARRANGEMENTS
 Security administrators should consider the following
backup options:
(i) Cold site :
 If an organisation can tolerate some downtime, cold-site
backup might be appropriate.
 A cold site has all the facilities needed to install a
mainframe system: raised floors, air conditioning, power,
communication lines, and so on.
 An organisation can establish its own cold-site facility or
enter into an agreement with another organisation to
provide a cold-site facility.

(ii) Hot site :
 If fast recovery is critical, an organisation might need hot
site backup.
 All hardware and operations facilities will be available at
the hot site.
 In some cases, software, data and supplies might also
be stored there.
 A hot site is expensive to maintain.
 Hot sites are therefore usually shared with other
organisations that have hot-site needs.

(iii) Warm site :
 A warm site provides an intermediate level of backup.
 It has all cold-site facilities plus hardware that might be
difficult to obtain or install.
 For example, a warm site might contain selected
peripheral equipment plus a small mainframe with
sufficient power to handle critical applications in the
short run.

(iv) Reciprocal agreement :
 Two or more organisations might agree to provide
backup facilities to each other in the event of one
suffering a disaster.
 This backup option is relatively cheap, but each
participant must maintain sufficient capacity to operate
another’s critical system.

 If a third-party site is to be used for backup and recovery
purposes, security administrators must ensure that a
contract is written to cover issues such as:
 (1) how soon the site will be made available subsequent
to a disaster,
 (2) the number of organisations that will be allowed to
use the site concurrently in the event of a disaster,
 (3) the priority to be given to concurrent users of the site
in the event of a common disaster,
 (4) the period during which the site can be used,
 (5) the conditions under which the site can be used,
 (6) the facilities and services the site provider agrees to
make available, and
 (7) what controls will be in place and working at the
off-site facility.

 These issues are often poorly specified in reciprocal
agreements.
 Moreover, they can be difficult to enforce under a
reciprocal agreement because of the informal nature of
the agreement.

6.8 BACK-UP REDUNDANCY

Multiple Backup Media :
 For data of high importance, a situation of data loss is
absolutely unacceptable.
 Therefore, single points of failure, such as a failed backup
disk that destroys the entire backup history, should be
eliminated.

Off-Site Backup :
 Off-site backup is done to keep at least one copy of your
redundant backups in an alternative location.
 When the size of the backup is considerably big
(>10GB), the cost of a high-speed link, security issues and
the backup time will rule out the idea of backing up over
high-speed links.
 A practical solution would be to take a backup onto a
removable backup disk, which is shuttled out of your
site to a secure location.

Where to Keep the Backups :
 If removable-media backups are kept next to the
computer, a fire or other disaster will probably destroy
both.
 A secure off-site location is best. Consider keeping one
backup disk in the office and the other one or two
off-site.

Media Rotation Tactics :
 Once in a while, rotate the active backup media
with one of the off-site stored media.
 This will update the off-site media with the latest data
changes.
 To reduce data loss in case of a major disaster, it is
recommended to switch the active backup media daily
with one of the stored media.

6.8.1 Types of Back-up Media :
 The most common types of backup media available on
the market today include :
(i) Floppy Diskettes :
 Floppy diskettes were available with most desktop
computers earlier and they were the cheapest back-up
solution.
 However, these drives have been discontinued because
of their low storage capacity and slow speed.

(ii) DVD Disks :
 DVD (also known as "Digital Versatile Disc" or "Digital
Video Disc") is a popular optical disc storage media
format.
 Its main uses are video and data storage.
 Most DVDs are of the same dimensions as compact
discs (CDs) but store more than six times as much data.

(iii) Tape Drives :
 Tape drives are the most common backup media around
due to their low cost.
 The average capacity of a tape drive is 4 to 10 GB.
 The drawbacks are that they are relatively slow when
compared with other media, and can tend to be
unreliable.
 Magnetic tape cartridges are used to store the data,
which leaves it susceptible to loss of information over
time or through breaking/stretching the tape.

(iv) Disk Drives :
 Disk drives are very fast compared to tape drives.
 The disk drive rotates at a very fast pace and has one or
more heads that read and write data.
 If an organisation is looking for a fast method of backup
and recovery then disk drives are the way to go: the
difference in speed between a tape drive and a disk
drive is hours compared to minutes.

(v) Removable Disks :
 Using a removable disk such as a ZIP/JAZ drive is
becoming increasingly popular for the backup of single
systems.
 They are quite fast, not that expensive and easy to
install and carry around.

(vi) DAT (Digital Audio Tape) drives :
 DAT drives are similar to a standard tape drive but they
have a larger capacity.
 They are fast becoming popular and are slowly replacing
the tape drive.
 The tapes come in DLT (Digital Linear Tape), SDLT
(Super Digital Linear Tape), LTO (Linear Tape Open)
and AIT (Advanced Intelligent Tape) format, offering up
to 260GB of compressed data.
 The image below shows a typical HP DAT drive.

Fig. 6.8.1 : Digital audio tape drives

(vii) Optical Jukeboxes :
 Optical jukeboxes use magneto-optical disks rather
than tapes to offer a high-capacity backup solution.
 They are extremely expensive but offer excellent
amounts of secure storage space, ranging from 5 to 20
terabytes.
 A jukebox is a tower that automatically loads internally
stored disks when needed for backup and recovery;
just add a certain number of CDs or DVDs when you first
set it up, and maintenance is relatively low.
 The image below shows a standard tower optical
jukebox:

Fig. 6.8.2 : Optical Jukebox

(viii) Autoloader Tape Systems :
 Autoloader tape systems use a magazine of tapes to
create extended backup volumes.
 They have a built-in capability of automatically loading or
unloading tapes.
 Autoloaders use DAT tapes that come in DLT, LTO and
AIT format.
 By implementing a tape library system with multiple
drives you can improve the speed of a backup to
hundreds of gigabytes per hour.
 Below is an image showing a typical Autoloader tape
system :

(ix) USB Flash Drive :
 A USB flash drive plugs into the USB port of a laptop, PC
or workstation.
 USB flash drives are available in various sizes.
 The drive takes advantage of USB plug-and-play
capability to save and back up documents, presentations
and any other files, which makes it a convenient solution
for mobile storage and a reliable data-retention medium.
(x) Zip Drive :
 Zip Drive is a small, portable disk drive used primarily for
backing up and archiving personal computer files.
 Zip drives and disks come in various sizes.
 The Zip drive comes with a software utility that provides
the facility of copying the entire contents of a hard drive
to one or more Zip disks.
 The Zip drive can be purchased in either a Parallel or a
Small Computer System Interface (SCSI) version.
 In the parallel version, a printer can be chained off the
Zip drive so that both can be plugged into your
computer’s parallel port.
 In addition to data backup, the following are suggestions
for its additional uses :
 Archiving old e-mail or other files that are not in use
any more but might be accessed someday.
 Storing unusually large files, such as graphic images,
that you need infrequently.
 Exchanging large files with someone.
 Putting your system on another computer, perhaps a
portable computer.
 Keeping certain files separate from files on your hard
disk (for example, personal finance files).

 There are a substantial number of tools and media
available for backing up data. When making your
selection, there are five fundamental factors on which
you should base your decision:
 Speed : How fast can you back up and restore data
using this media?
 Reliability : Can you risk purchasing media that's
known to have reduced reliability to save on costs?
 Capacity : Is the media big enough for your backup
load?
 Extensibility : If the amount of data grows, will the
media support this demand?
 Cost : Does the solution you want fit into your budget?

6.8.2 Backup Tips
 (i) Draw up a simple (easy to understand) plan of who
will do what in the case of an emergency.
 (ii) Be organized! Keep a record of what was backed up,
when it was backed up and which backup media
contains what data. You can also make a calendar of
which type of backup is due on a certain date.
 (iii) Utilize the Volume Shadow Copy (VSS) service in
Windows Server 2003. This feature allows you to create
point-in-time copies of data so that they can be restored
and reverted to at any given time. For instance, if a user
created a Word document yesterday and decides that he
wants to revert to it today, he can do so using VSS.
 (iv) Select the option to verify the backup; the process will
take a little longer but it's definitely worth the wait.
 (v) Create a reference point where you know everything
is working properly. It will be quicker to restore the
changes from tape.
 (vi) Select the option to restrict restoring data to owner or
administrator and also set the Domain Group Policy to
restrict the Restore privilege to Administrators only. This
will help to reduce the risk of someone being able to
restore data should the media be stolen.
 (vii) Create a step-by-step guideline (a flowchart for
example) clearly outlining the sequence for the retrieval
and restoration of data depending on the state of the
system.

6.9 DISASTER RECOVERY PROCEDURAL PLAN
 The disaster recovery and planning document may
include the following areas:
 The conditions for activating the plans, which describe
the process to be followed before each plan is
activated.
 Emergency procedures, which describe the actions to
be taken following an incident which jeopardises
business operations and/or human life. This should
include arrangements for public relations management
and for effective liaison with appropriate public
authorities e.g. police, fire, services and local
government.
 Fallback procedures which describe the actions to be
taken to move essential business activities or support
services to alternate temporary locations, to bring
business process back into operation in the required
time-scale.
 Resumption procedures, which describe the actions to
be taken to return to normal business operations.
 A maintenance schedule, which specifies how and
when the plan will be tested, and the process for
maintaining the plan.
 Awareness and education activities, which are
designed to create an understanding of the business
continuity process and ensure that it continues to be
effective.
 The responsibilities of individuals describing who is
responsible for executing which component of the plan.
Alternatives should be nominated as required.
 Contingency plan document distribution list.
 Detailed description of the purpose and scope of the
plan.
 Contingency plan testing and recovery procedure.
 List of vendors doing business with the organisation,
their contact numbers and address for emergency
purposes.
 Checklist for inventory taking and updating the
contingency plan on a regular basis.
 List of phone numbers of employees in the event of an
emergency.
 Emergency phone list for fire, police, hardware,
software, suppliers, customers, back-up location, etc.
 Medical procedure to be followed in case of injury.
 Back-up location contractual agreement,
correspondences.
 Insurance papers and claim forms.
 Primary computer centre hardware, software,
peripheral equipment and software configuration.
 Location of data and program files, data dictionary,
documentation manuals, source and object codes and
back-up media.
 Alternate manual procedures to be followed such as
preparation of invoices.
 Names of employees trained for emergency situation,
first aid and life saving techniques.
 Details of airlines, hotels and transport arrangements.

6.10 INSURANCE
 The purpose of insurance is to spread the economic cost
and the risk of loss from an individual or business to a
large number of people.
 This is accomplished through the use of an insurance
policy.
 Policies are contracts that obligate the insurer to
indemnify the policyholder or some third party from
specific risks in return for the payment of a premium.
 Adequate insurance coverage is a key consideration
when developing a business recovery plan and
performing a risk analysis.
 Most insurance agencies specialising in business
interruption coverage can provide the organisation with
an estimate of anticipated business interruption costs.
 Most business interruption coverage includes lost
revenues following a disaster.
 Extra expense coverage includes all additional expenses
until normal operations can be resumed.
 Policies usually can be obtained to cover the following
resources:
 Equipment : Covers repair or acquisition of hardware.
It varies depending on whether the equipment is
purchased or leased.
 Facilities : Covers items such as reconstruction of a
computer room, raised floors, special furniture.
 Storage media : Covers the replacement of the storage
media plus their contents – data files, programs,
documentation.
 Business interruption : Covers loss in business income
because an organisation is unable to trade.
 Extra expenses : Covers additional costs incurred
because an organisation is not operating from its normal
facilities.
 Valuable papers : Covers source documents, pre-
printed reports, and records documentation, and other
valuable papers.
 Accounts receivable : Covers cash-flow problems that
arise because an organisation cannot collect its
accounts receivable promptly.
 Media transportation : Covers damage to media in
transit.
 Malpractice, errors and omissions : Covers claims
against an organisation by its customers, e.g., claims
made by the clients of an outsourcing vendor or service
bureau.

6.10.1 Kinds of Insurance :
 To understand the role insurance might play in
establishing information security standards, it is useful to
review the types of insurance that might be utilized.
 Insurance is generally divided into two general classes
based upon whether the insured is the injured party.
 Lawyers call these two divisions first-party and third-
party insurance.
 First-party insurance identifies claims by the policyholder
against their own insurance.
 Third-party insurance is designed to protect against
claims made against the policyholder and his insurer for
wrongs committed by the policyholder.
 The most common form of first-party insurance is
property damage, while the most common form of third-
party insurance is liability.

(a) First-party Insurances - Property Damages :
 Perhaps the oldest insurance in the world is that
associated with damage to property.
 It is designed to protect the insured against the loss or
destruction of property.
 It is offered by the majority of all insurance firms in the
world and uses time-tested forms, the industry term for a
standard insurance contract accepted industry-wide.
 This form often defines loss as “physical injury to or
destruction of tangible property” or the “loss of use of
tangible property which has not been physically injured
or destroyed.”
 Such policies are also known as all risks, defined risk, or
casualty insurance.

(b) First-party Insurances - Business Interruption :
 If an insured company fails to perform its contractual
duties, it may be liable to its customers for breach of
contract.
 One potential cause for the inability to deliver might be
the loss of information system, data or communications.
 Some in business and the insurance industry have
attempted to mitigate this by including information
technology in business recovery/disaster plans.
 As a result, there has emerged a robust industry in hot
sites for companies to occupy in case of fire, flood,
earthquake or other natural disaster.
 Disaster recovery has become a necessity in the
physical world.
 While the role of disaster recovery is well understood in
business, the insurance industry was slow to accept the
indemnity role relative to insuring data in a business
interruption liability insurance context.
 Insurers are generally aggressive in limiting their own
liability and have, in a number of instances, argued that
a complete cessation of business is necessary to claim
damage.

(c) Third-party Insurance - General Liability :
 Third party insurance is designed to protect the insured
from claims of wrongs committed upon others.
 It is in parts based on the legal theory of torts.
 Torts are civil wrongs which generally fit into three
categories – intentional, negligent and strict liability.
Intentional torts are generally excluded from liability
insurance policies because they are foreseeable and
avoidable by the insured.
 Strict liability torts, such as product liability issues, are
generally covered under specialised liability insurance.
 General liability policies include comprehensive,
umbrella and excess liability policies. Insured parties are
exposed to the risk of liability whenever they violate
some duty imposed on, or expected of, parties relative
to each other or to society in general.
 In the cyber environment this can take many forms.
 If the insured's computer damages another party's
computer or data connectivity, then the insured may be
held liable.
 A company might be held liable if its computer system
was used in connection with a denial-of-service attack.
 The insured may also be held liable for failing to protect
adequately the privacy interests of parties who have
entrusted information to the care of the insured.

(d) Third-party Insurance - Directors and Officers :
 Errors and Omissions (E&O) insurance is protection
from liability arising from a failure to meet the
appropriate standard of care for a given profession.
 Two common forms of E & O insurance are directors
and officers, and professional liability.
 Directors and officers insurance is designed to protect
officers of companies, as individuals, from liability arising
from any wrongful acts committed in the course of their
duties as officers.
 These policies usually are written to compensate the
officer's company for any losses payable by the
company for the acts of its officers.

6.11 TESTING METHODOLOGY AND CHECKLIST
 With good planning a great deal of disaster recovery
testing can be accomplished with moderate expenditure.
There are four types of tests:

(i) Hypothetical :
 The hypothetical test is an exercise to verify the
existence of all necessary procedures and actions
specified within the recovery plan and to prove the
theory of those procedures.
 It is a theoretical check and must be conducted
regularly.
 This exercise is generally a brief one designed to look at
the worst case for equipment, ensuring that the entire
plan process is reviewed.

(ii) Component :
 A component is the smallest set of instructions within the
recovery plan which enables specific processes to be
performed.
 For example the process “System Load/IPL” involves a
series of commands to load the system.
 However, in the recovery situation this may be different
from normal operational requirements.
 Certain functions need to be enabled or disabled to suit
the new environment.
 If this is not fully tested incompatibility problems with
other components are likely.
 Component testing is designed to verify the detail and
accuracy of individual procedures within the recovery
plan and can be used when no additional system can be
made available for extended periods.
 Examples of component tests include:
 back-up procedures,
 offsite tape storage recovery,
 technology and network infrastructure assembly,
 recovery and restoration procedures and security
package start-up procedures.

(iii) Module :
 A module is a combination of components.
 The ideal method of testing is that each component be
individually tested before being included in a module.
 The aim of module testing is to verify the validity and
functionality of the recovery procedures when multiple
components are combined.
 If one is able to test all modules, even if unable to
perform a full test, then one can be confident that the
business will survive a major disaster.
 It is when a series of components are combined without
individual tests that difficulties occur.
 Examples of module testing include:
 alternate site activation,
 system recovery,
 network recovery,
 application recovery,
 database recovery and
 run production processing.

(iv) Full :
 The full test verifies that each component within every
module is workable and satisfies the strategy and
recovery time objective detailed in the recovery plan.
 The test also verifies the interdependencies of various
modules to ensure that progression from one module to
another can be effected without problem or loss of data.
 The two main objectives associated with full test are:
 To confirm that the total time elapsed meets the
recovery time objective.
 To prove the efficiency of the recovery plan to ensure a
smooth flow from module to module.

6.11.1 Setting objectives :
 Each test is designed around a worst-case scenario for
equipment as this will ensure the entire plan is examined
for all possible disastrous situations.
 Only when every requirement associated with each
component has been documented and verified can the
recovery plan be said to be complete and functional.
 Test objectives should include :
 Recovery of systems at the standby site, and
establishment of an environment to enable full
accommodation of the nominated applications.
 A fully documented set of procedures to obtain and
utilise offsite tapes to restore the system and critical
applications to the agreed recovery point, as set out in
the recovery plan.
 Recovery of system/application/network/database data
from the offsite/backup tapes.
 Detailed documentation on how to restore the
production data as stipulated in the recovery plan, to the
agreed recovery point.
 Fully documented procedures for establishing
communication lines/ equipment to enable full availability
and usage by appropriate areas e.g. business units, data
entry, users, etc.
 Established communication lines/equipment as set out
in the plan.
 Examination of the designated alternative sites and
confirmation that all their components are also noted in
the plan.

6.11.2 Defining the Boundaries :
 Test boundaries are needed to satisfy the disaster
recovery strategy, methodology and processes.
 The management team also must consider future test
criteria to ensure a realistic and obtainable progression
to meet the end objectives.
 Opportunities to test actual recovery procedures should
be taken wherever possible e.g. purchase of new
additional equipment, vendor agreements.
 Management must also decide whether or not to include
internal (auditors/management) or external (data security
services) observers or a combination of both.

6.11.3 Scenario :
 The scenario is the description of the disaster and
explains the various criteria associated with such a
disaster.
 For example the scenario must outline what caused the
disaster and the level of damage sustained to the
equipment and facilities, and whether or not anything
can be salvaged from the wreckage.
 The purpose is not to get bogged down in great details
but to explain to all the participants what is, or is not
available, what tools can, or cannot be used, the
objective of the exercise, the time of the disaster, and
the planned recovery points.

6.11.4 Test Criteria :
 Not all tests require all personnel to attend.
 The test criteria advise all participants including
observers as appropriate, where they are to be located
and the time/day the exercise will take place.
 The role of the observer is to give an unbiased view and
to comment on the area of success or concern to assist
in future testing.

6.11.5 Assumption :
 Assumptions will need to be made.
 They allow a test to achieve the results without being
bound by other elements of the recovery plan, which
may not yet have been verified.
 Assumptions allow prerequisites of a particular
component/module to be established outside the test
boundaries.
 Examples include:
 All technical information documented in the plan,
including appendices, are complete and accurate.
 All purchases (equipment, furniture, etc.) can be made
in the recovery time required.
 Tapes and other equipment recalled from offsite are
valid and useable.

6.11.6 Test Prerequisites :
 Before any test is attempted, the recovery plan must be
verified as being fully documented in all sections,
including all appendices and attachments that have been
referenced to in each process.
 Each of the participating teams in the test must be aware
of how their role relates to other teams, when and how
they are expected to perform their tasks, and what tools
are permissible.
 It is the responsibility of each team leader to keep a log
of proceedings for later discussion and action to prepare
better for future tests.

6.11.7 Briefing session :
 No matter whether it is hypothetical, component, module
or full test, a briefing session for the teams is necessary.
 The boundaries of the test are explained and the
opportunities to discuss any technical uncertainties are
provided.
 Depending on the complexity of the test, additional
briefing sessions may be required to outline the general
boundaries, discuss technical queries, and brief the
senior management on the test objectives.
 The size of the exercise and the number of staff involved
will determine the time between the briefing sessions
and the test.
 However, this time period must provide sufficient
opportunity for personnel to prepare adequately
particularly the technical staff.
 It is recommended that the final briefing be held not
more than two days prior to a test date to ensure all
activities are fresh in the minds of the participants and
the test is not impacted through misunderstandings or
tardiness.
 An agenda could be:
 (i) Team objectives
 (ii) Scenario of disaster
 (iii) Time of the test
 (iv) Location of each team
 (v) Restrictions on specific teams
 (vi) Assumptions of the test
 (vii) Prerequisites for each team

6.11.8 Checklists :
 Checklists provide the minimum preparation for all test
types.
 Checklists are directly related to specific modules of the
recovery plan and all sections relevant to particular test
must be verified as complete before a test date is set.
 As these checklists follow various modules associated
with the recovery plan, only those parts applicable to the
forthcoming test are compulsory prerequisites for that
test.
 However, it is recommended that all sections of the
checklist be completed as soon as possible.
 Checklists showing the details required are provided in
the following section.

6.11.9 Analysing the test :
 While testing is beneficial, an effective recovery plan
can be achieved only by constructive analysis of each
test and its result through a post-mortem.
 This also maintains the momentum gained from the test,
which is critical to the process of building a workable
plan.
 Many staff perceive disaster recovery as an additional
workload.
 However, over time, through constructive and regular
involvement, staff develop a greater commitment.

6.11.10 Debriefing session :
 If the company has a dedicated Disaster Recovery Plan
(DRP) team or co-ordinator assigned permanently, the
team or co-ordinator would have the responsibility of
conducting the briefing and debriefing sessions.
 If not, then the responsibility lies with the command team
leader.
 The format is to discuss the results of the findings of the
test with a view of improving the recovery plan for future
exercises.
 From these discussions, a set of objectives is developed
for later inclusion into the report.
 An agenda could be:
 (i) Overall performance
 (ii) Team performance
 (iii) Observations
 (iv) Areas of concern
 (v) Next test (type and time)
 (vi) Test report

 Each team leader has the responsibility of maintaining a
log of events during each test.
 The information gathered from these logs, in addition to
the post-mortem report by the test manager is used to
produce the test report.
 Any areas for improvement are noted for action,
assigned to the appropriate team member and given a
realistic completion date.
 A typical format could be:
(i) Executive summary
(ii) Objective results
(iii) Performance
(iv) Overall teams and list of actions
(v) Conclusion

6.12 AUDIT TOOLS AND TECHNIQUES
 The best audit tool and technique is a periodic simulation
of a disaster.
 Other audit techniques would include observations,
interviews, checklists, inquiries, meetings,
questionnaires and documentation reviews.
 These tools and methods may be categorised as under:

i. Automated Tools :
 Automated tools make it possible to review large
computer systems for a variety of flaws in a short time
period.
 They can be used to find threats and vulnerabilities such
as weak access controls, weak passwords, lack of
integrity of the system software, etc.

ii. Internal Control Auditing :
 This includes inquiry, observation and testing.
 The process can detect illegal acts, errors, irregularities
or lack of compliance with laws and regulations.

iii. Disaster and Security Checklists :
 A checklist can be used against which the system can
be audited.
 The checklist should be based upon disaster recovery
policies and practices, which form the baseline.
 Checklists can also be used to verify changes to the
system from a contingency point of view.

iv. Penetration Testing :
 Penetration testing can be used to locate vulnerabilities.

6.13 AUDIT OF THE DISASTER RECOVERY/BUSINESS
RESUMPTION PLAN
(i) Determine if a disaster recovery/business
resumption plan exists and was developed using a
sound methodology that includes the following
elements:
 Identification and prioritisation of the activities which
are essential to continue functioning.
 The plan is based upon a business impact analysis
that considers the impact of the loss of essential
functions.
 Operations managers and key employees participated
in the development of the plan.
 The plan identifies the resources that will likely be
needed for recovery and the location of their availability.
 The plan is simple and easily understood so that it will
be effective when it is needed.
 The plan is realistic in its assumptions.

(ii) Determine if information backup procedures are
sufficient to allow for recovery of critical data.
(iii) Determine if a test plan exists and to what extent the
disaster recovery/business resumption plan has
been tested.
(iv) Determine if resources have been made available to
maintain the disaster recovery/business resumption
plan and keep it current.
(v) Obtain and review the existing disaster recovery/
business resumption plan.
(vi) Obtain and review plans for disaster recovery/
business resumption testing and/or documentation
of actual tests.
(vii) Obtain and review the existing business impact
analysis.
(viii) Gather background information to provide criteria
and guidance in the preparation and evaluation of
disaster recovery/ business resumption plans.
(ix) Determine if copies of the plan are safeguarded by
off-site storage.
(x) Gain an understanding of the methodology used to
develop the existing disaster recovery/ business
resumption plan. Who participated in the
development effort?
(xi) Gain an understanding of the methodology used to
develop the existing business impact analysis.
(xii) Determine if recommendations made by the external
firm that produced the business impact analysis
have been implemented or otherwise addressed.
(xiii) Have resources been allocated to prevent the
disaster recovery/ business resumption plan from
becoming outdated and ineffective?
(xiv) Determine if the plan is dated each time that it is
revised so that the most current version will be used
if needed.
(xv) Determine if the plan has been updated within the
past 12 months.
(xvi) Determine all the locations where the disaster
recovery/ business resumption plan is stored. Are
there a variety of locations to ensure that the plan
will survive disasters and will be available to those
that need them?
(xvii) Review information backup procedures in general.
The availability of backup data could be critical in
minimising the time needed for recovery.
(xviii) Interview functional area managers or key
employees to determine their understanding of the
disaster recovery/ business resumption plan. Do
they have a clear understanding of their role in
working towards the resumption of normal
operations?
(xix) Personnel: does the disaster recovery/ business
resumption plan include provisions for personnel?
 Have key employees seen the plan and are all
employees aware that there is such a plan? Have
employees been told their specific roles and
responsibilities if the disaster recovery/ business
resumption plan is put into effect?
 Does the disaster recovery/ business resumption plan
include contact information of key employees, especially
after working hours?
 Does the disaster recovery/ business resumption plan
include provisions for people with special needs?
 Does the disaster recovery/ business resumption plan
have a provision for replacement staff when necessary?

(xx) Building, Utilities and Transportation
 Does the disaster recovery/ business resumption plan
have a provision for having a building engineer inspect
the building and facilities soon after a disaster so that
damage can be identified and repaired to make the
premises safe for the return of employees as soon as
possible?
 Does the disaster recovery/business resumption plan
consider the need for alternative shelter, if needed?
Alternatives in the immediate area may be affected by
the same disaster.
 Review any agreements for use of backup facilities.
 Verify that the backup facilities are adequate based on
projected needs (telecommunications, utilities, etc.). Will
the site be secure?
 Does the disaster recovery/ business resumption plan
consider the failure of electrical power, natural gas, toxic
chemical containers, and pipes?
 Are building safety features regularly inspected and
tested?
 Does the plan consider the disruption of transportation
systems? This could affect the ability of employees to
report to work or return home. It could also affect the
ability of vendors to provide the goods needed in the
recovery effort.

(xxi) Information Technology
 Determine if the plan reflects the current IT
environment.
 Determine if the plan includes prioritisation of critical
applications and systems.
 Determine if the plan includes time requirements for
recovery/availability of each critical system, and that they
are reasonable.
 Does the disaster recovery/ business resumption plan
include arrangements for emergency
telecommunications?
 Is there a plan for alternate means of data
transmission if the computer network is interrupted? Has
the security of alternate methods been considered?
 Determine if a testing schedule exists and is adequate
(at least annually). Verify the date of the last test.
Determine if weaknesses identified in the last tests were
corrected.

(xxii) Administrative Procedures
 Does the disaster recovery/ business resumption plan
cover administrative and management aspects in
addition to operations? Is there a management plan to
maintain operations if the building is severely damaged
or if access to the building is denied or limited for an
extended period of time?
 Is there a designated emergency operations center
where incident management teams can coordinate
response and recovery?
 Determine if the disaster recovery/ business
resumption plan covers procedures for disaster
declaration, general shutdown and migration of
operations to the backup facility.
 Have essential records been identified? Do we have a
duplicate set of essential records stored in a secure
location?
 To facilitate retrieval, are essential records separated
from those that will not be needed immediately?

(xxiii) Does the disaster recovery/ business resumption
plan include the names and numbers of suppliers of
essential equipment and other material?
(xxiv) Does the disaster recovery/ business resumption
plan include provisions for the approval to expend
funds that were not budgeted for the period?
Recovery may be costly.
(xxv) Has executive management assigned the necessary
resources for plan development, concurred with the
selection of essential activities and priority for
recovery, agreed to back-up arrangements and the
costs involved, and is it prepared to authorise
activation of the plan should the need arise?
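Several items of the audit program above are mechanical enough to be scripted into the kind of disaster checklist described under 6.12 (iii): the plan is dated and revised within 12 months (xiv, xv), copies survive at more than one location with at least one off-site (ix, xvi), critical systems are prioritised with recovery time requirements that agree with that order, and the plan was tested within the year with the weaknesses found corrected (xxi). The script below is an added example, not part of the lecture notes or the ICAI text it adopts. The `DrPlanRecord` fields, the `CriticalSystem` class and the two sample plan records are assumptions constructed for the example; an auditor would populate them from the plan documents and test reports obtained under items (v) to (vii).

```python
"""Added example: scripting part of the DR/BR plan audit checklist.

Field names (revised_on, storage_locations, critical_systems, last_test_on,
open_test_findings) are assumed for this example, not a standard schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the audit program: (xv) revised within 12 months,
# (xxi) tested at least annually, (xvi) copies at more than one location.
MAX_PLAN_AGE_DAYS = 365
MAX_TEST_INTERVAL_DAYS = 365
MIN_STORAGE_LOCATIONS = 2

# Constructed audit date used by the sample records below.
AUDIT_DATE = date(2024, 3, 1)


@dataclass
class CriticalSystem:
    name: str
    priority: int      # 1 = recover first
    rto_hours: float   # recovery time requirement stated in the plan


@dataclass
class DrPlanRecord:
    """Assumed metadata an auditor collects about the plan (constructed)."""
    revised_on: Optional[date]
    storage_locations: Dict[str, bool]      # location -> held off-site?
    critical_systems: List[CriticalSystem]
    last_test_on: Optional[date]
    open_test_findings: List[str]           # weaknesses from the last test still open


def audit_plan(plan: DrPlanRecord, today: date) -> List[Tuple[str, str]]:
    """Return (audit item, finding) pairs for every scripted check that fails.

    An empty list means the scripted checks passed; the interview and
    document-review items of the audit program still need the auditor."""
    findings = []

    # (xiv)/(xv): the plan carries a revision date no older than 12 months
    if plan.revised_on is None:
        findings.append(("xiv", "plan carries no revision date"))
    elif (today - plan.revised_on).days > MAX_PLAN_AGE_DAYS:
        findings.append(("xv", f"plan last revised {plan.revised_on}, more than 12 months ago"))

    # (ix)/(xvi): copies at more than one location, at least one off-site
    if len(plan.storage_locations) < MIN_STORAGE_LOCATIONS:
        findings.append(("xvi", "plan is stored at a single location"))
    if not any(plan.storage_locations.values()):
        findings.append(("ix", "no copy of the plan is held off-site"))

    # (xxi): systems are prioritised, each has a time requirement, and the
    # priority order agrees with those requirements (a higher-priority system
    # should not be allowed a longer recovery time than a lower-priority one)
    ordered = sorted(plan.critical_systems, key=lambda s: s.priority)
    if not ordered:
        findings.append(("xxi", "plan lists no critical applications or systems"))
    priorities = [s.priority for s in ordered]
    if len(set(priorities)) != len(priorities):
        findings.append(("xxi", "critical systems do not have unique recovery priorities"))
    for system in ordered:
        if system.rto_hours <= 0:
            findings.append(("xxi", f"{system.name} has no recovery time requirement"))
    for higher, lower in zip(ordered, ordered[1:]):
        if lower.rto_hours < higher.rto_hours:
            findings.append(("xxi",
                f"{lower.name} (priority {lower.priority}) must recover in {lower.rto_hours}h "
                f"but {higher.name} (priority {higher.priority}) is allowed {higher.rto_hours}h; "
                "priority order and time requirements disagree"))

    # (xxi): tested within the last year and weaknesses from that test corrected
    if plan.last_test_on is None:
        findings.append(("xxi", "plan has never been tested"))
    elif (today - plan.last_test_on).days > MAX_TEST_INTERVAL_DAYS:
        findings.append(("xxi", f"last test on {plan.last_test_on} is more than a year old"))
    if plan.open_test_findings:
        findings.append(("xxi", "weaknesses from the last test not corrected: "
                         + "; ".join(plan.open_test_findings)))
    return findings


def sample_plan() -> DrPlanRecord:
    """Constructed record of a plan with several deficiencies (no real organisation)."""
    return DrPlanRecord(
        revised_on=date(2022, 12, 15),
        storage_locations={"HQ data centre": False, "Regional office vault": True},
        critical_systems=[CriticalSystem("Core banking", 1, 4),
                          CriticalSystem("Payments gateway", 2, 2),
                          CriticalSystem("Email", 3, 24)],
        last_test_on=date(2023, 11, 20),
        open_test_findings=["backup media unreadable at the alternate site"],
    )


def compliant_plan() -> DrPlanRecord:
    """Constructed record that passes every scripted check."""
    return DrPlanRecord(
        revised_on=date(2023, 9, 1),
        storage_locations={"HQ data centre": False, "Regional office vault": True,
                           "Escrow agent": True},
        critical_systems=[CriticalSystem("Core banking", 1, 4),
                          CriticalSystem("Payments gateway", 2, 8),
                          CriticalSystem("Email", 3, 24)],
        last_test_on=date(2023, 11, 20),
        open_test_findings=[],
    )


if __name__ == "__main__":
    for item, finding in audit_plan(sample_plan(), AUDIT_DATE):
        print(f"({item}) {finding}")
```

Running the script against the deficient sample reports an out-of-date plan (xv), a payments system whose two-hour requirement contradicts its second-place recovery priority, and an uncorrected weakness from the last test (both xxi), while the compliant record produces no findings. The priority-versus-RTO check is the one worth keeping in a real checklist: a plan can list priorities and time requirements separately and still be internally inconsistent, which the audit item's word "reasonable" is asking the auditor to catch.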
